You are using an unsupported command-line flag: --no-sandbox. Stability and security will suffer.

[Nathan L.]

I'm getting this message when starting Chrome with the --no-sandbox flag. Any one here knows why please?

I'm new to Google NaCl/PNaCl framework. I'm trying to build, run and debug my first PNaCl sample app. I'm working with pepper_36 & Chrome "Version 36.0.1985.125 m" on Windows 7.

Here's the command:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox

Thanks,

Nathan

[Nick Bray]

--no-sandbox disables one of Chrome's more important security mechanisms.  This is sometimes necessary for development, for example when you want to redirect stdout to disk and the sandbox would otherwise prevent writing data to the disk.  It would be seriously unwise to disable the sandbox when surfing the web, however.  Only disable it if there is a specific reason to do so.  The warning means --no-sandbox is dangerous and you should only use it if you really know what you're doing.

--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.
To post to this group, send email to native-cli...@googlegroups.com.
Visit this group at http://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.

[Nathan L.]

Thanks for the reply. I'm trying to debug a PNaCl application as per Google instruction here:

https://developer.chrome.com/native-client/devguide/devcycle/debugging

Based on the Chrome message. I get the impression that the flag is not supported by Chrome. I can understand if Chrome does actually disable sanboxing & give me a warning! But I don't think that is the case here because I'm getting a Permission denied from nacl-gdb when trying to get a nexe translation as described in my other posting:

C:\NaCl_SDK\pepper_36\getting_started\part1>C:\NaCl_SDK\pepper_36\toolchain\win_x86_newlib\bin\x86_64-nacl-gdb
GNU gdb (GDB) 7.6.50.20131211-cvs 20140408 (Native Client r13014, Git Commit ef0bd30c46a9066309396c37b10a8ff9a726faf3)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-w64-mingw32 --target=x86_64-nacl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) target remote localhost:4014
Remote debugging using localhost:4014
0x000000000fd000a0 in ?? ()
(gdb) remote get nexe C:/Temp
C:/Temp: Permission denied.
(gdb) continue
Continuing.

I'm suspicious that is due to the fact that sandboxing has not been disabled!

On Wednesday, July 23, 2014 5:52:17 PM UTC-7, Nick Bray wrote:

--no-sandbox disables one of Chrome's more important security mechanisms.  This is sometimes necessary for development, for example when you want to redirect stdout to disk and the sandbox would otherwise prevent writing data to the disk.  It would be seriously unwise to disable the sandbox when surfing the web, however.  Only disable it if there is a specific reason to do so.  The warning means --no-sandbox is dangerous and you should only use it if you really know what you're doing.

On Wed, Jul 23, 2014 at 5:25 PM, Nathan L. wrote:

I'm getting this message when starting Chrome with the --no-sandbox flag. Any one here knows why please?

I'm new to Google NaCl/PNaCl framework. I'm trying to build, run and debug my first PNaCl sample app. I'm working with pepper_36 & Chrome "Version 36.0.1985.125 m" on Windows 7.

Here's the command:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox

Thanks,

Nathan

--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.

[Victor Khimenko]

Is it faithful representation of your debugging attempt? Because here it looks like you are supplying C:/Temp as the name of your nexe file. I seriously doubt that C:/Temp is a file. Most likely it's a directory and could not be opened as file. Sandbox or no sandbox.

On Wednesday, July 23, 2014 5:52:17 PM UTC-7, Nick Bray wrote:

--no-sandbox disables one of Chrome's more important security mechanisms.  This is sometimes necessary for development, for example when you want to redirect stdout to disk and the sandbox would otherwise prevent writing data to the disk.  It would be seriously unwise to disable the sandbox when surfing the web, however.  Only disable it if there is a specific reason to do so.  The warning means --no-sandbox is dangerous and you should only use it if you really know what you're doing.

On Wed, Jul 23, 2014 at 5:25 PM, Nathan L. wrote:

I'm getting this message when starting Chrome with the --no-sandbox flag. Any one here knows why please?

I'm new to Google NaCl/PNaCl framework. I'm trying to build, run and debug my first PNaCl sample app. I'm working with pepper_36 & Chrome "Version 36.0.1985.125 m" on Windows 7.

Here's the command:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox

Thanks,

Nathan

--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.

To post to this group, send email to native-cli...@googlegroups.com.

Visit this group at http://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.

[Nathan L.]

Google's documentation:

(gdb) remote get nexe <path-to-save-translated-nexe-with-debug-info>

(gdb) file <path-to-save-translated-nexe-with-debug-info>

remote get nexe <path>

This saves the application’s main executable (nexe) to <path>. For PNaCl, this provides a convenient way to access the nexe that is a result of translating your pexe. This can then be loaded with the file <path> command.

So, based on Google above C:/Temp should be a directory for Chrome to place the generated nexe file. Chrome is supposed to take the debug version of the PNaCl file (.bc ) and generate a .nexe from it with debug symbols. The "file" command tells gdb where the .nexe file is located. 

Does anyone know if any of Google's employed subject matter experts read the posts on this discussion group?

To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsubscri...@googlegroups.com.

To post to this group, send email to native-cli...@googlegroups.com.

Visit this group at http://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.

[Jan Voung]

Hi Nathan,

I wrote that bit of documentation, and I can edit it to be more clear.

On Thu, Jul 24, 2014 at 9:44 AM, Nathan L. <nathan...@gmail.com> wrote:

Google's documentation:

(gdb) remote get nexe <path-to-save-translated-nexe-with-debug-info>

(gdb) file <path-to-save-translated-nexe-with-debug-info>

remote get nexe <path>

This saves the application’s main executable (nexe) to <path>. For PNaCl, this provides a convenient way to access the nexe that is a result of translating your pexe. This can then be loaded with the file <path> command.

Victor is right.  This is meant to be the name of the nexe *file*, not the directory that will contain the file. Path doesn't always mean directory. At least from wikipedia (http://en.wikipedia.org/wiki/Path_(computing)):

"A path, the general form of the name of a file or directory, specifies a unique location in a file system".

Anyway this is clearly confusing, but I can always edit the doc to use a different term, and show a concrete example.

Basically, "remote get" will copy the translated nexe from your browser cache to a more recognizable and easy to type location.

E.g. "remote get nexe C:\temp\temp.nexe" will copy a file from

"C:\User\XYZ\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\f000022"

 to

"C:\temp\temp.nexe"

Then you can type in "file C:\temp\temp.nexe", instead of "file C:\User\XYZ\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\f000022".

Similar for the "remote get irt" command. That makes a copy of the IRT to another file with a name that is easier to type. In the future, we can try to make some of this more automated.

Hope that helps,

- Jan

To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.

[Nathan L.]

Hi Jan,

Sorry my bad. I didn't read Victor's response carefully. But I did figure out on my own the path meant full path including the file name & was about to post my discovery when I noticed your response.

Here's one more thing I discovered which is more in line with the posting title. Again as per Google's documentation:

--no-sandbox

Turns off the Chrome sandbox (not the Native Client sandbox). This enables the stdout and stderr streams, and lets the debugger connect.

I'm not sure about enabling stdout & stderr streams, but he key point here I've noticed is letting the debugger to connect. So, if nacl-gdb is able to connect to Chrome, this means that Chrome has accepted/honored --no-sandbox flag. So, the "unsupported command-line flag" is misleading.

C:\NaCl_SDK\pepper_36\getting_started\part1>C:\NaCl_SDK\pepper_36\toolchain\win_x86_newlib\bin\x86_64-nacl-gdb

(gdb) target remote localhost:4014
Remote debugging using localhost:4014
0x000000000fd000a0 in ?? ()

(gdb) remote get nexe C:/NaCl_SDK/logs/temp.nexe
Successfully fetched file "nexe".
(gdb) file C:/NaCl_SDK/logs/temp.nexe
A program is being debugged already.
Are you sure you want to change the file? (y or n) y
Reading symbols from C:/NaCl_SDK/logs/temp.nexe...done.
(gdb) remote get irt C:/NaCl_SDK/logs/nacl_irt_x86_64.nexe
Successfully fetched file "irt".
(gdb) nacl-irt C:/NaCl_SDK/logs/nacl_irt_x86_64.nexe
Reading symbols from C:/NaCl_SDK/logs/nacl_irt_x86_64.nexe...(no debugging symbols found)...done.
(gdb) break hello_tutorial.cc:98
Breakpoint 1 at 0x20c00: file hello_tutorial.cc, line 98.
(gdb) continue
Continuing.

Thanks for all your help.

Nathan L.

[Jan Voung]

Glad it worked! I think "unsupported" is not intended to mean that it doesn't do anything. Chrome will honor the flag, as you've seen w/ the debugger. I think it just means that it's dangerous to leave that flag enabled for general web surfing, and we can't help (support) your computer, if turning the sandbox off leads to a vulnerability being exploited and that leaves your computer in a bad state.

- Jan

To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.

[Victor Khimenko]

On Fri, Jul 25, 2014 at 4:21 AM, 'Jan Voung' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:

Glad it worked! I think "unsupported" is not intended to mean that it doesn't do anything. Chrome will honor the flag, as you've seen w/ the debugger. I think it just means that it's dangerous to leave that flag enabled for general web surfing, and we can't help (support) your computer, if turning the sandbox off leads to a vulnerability being exploited and that leaves your computer in a bad state.

- Jan

Nonetheless the whole message is confusing. Think about first part: "You are using an unsupported command-line flag: --no-sandbox". If message will contain just that then 99% of people will understand that as "that flag was supported some time before, but not anymore, you'll need to use something else instead". Now, the second part "Stability and security will suffer" kind of clarifies the issue and gives a hint that yes, flag actually does something, but still the whole message is confusing.

Perhaps something like "You are using dangerous flag --no-sandbox. This is an unsupported mode. Stability and security will suffer." will be clearer? What do you think?

[Pawel Misiurski]

I agree that this information is confusing. I'm using the flag to see stdout and at first I thought that I misspelled the flag, but no the flag is correct but the message is wrong.